Bug 1159924 - (CVE-2019-11046) VUL-0: CVE-2019-11046: php5,php72,php7,php53: OOB read in bc_shift_addsub
(CVE-2019-11046)
VUL-0: CVE-2019-11046: php5,php72,php7,php53: OOB read in bc_shift_addsub
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/249635/
CVSSv3:SUSE:CVE-2019-11046:5.3:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-12-30 16:38 UTC by Alexander Bergmann
Modified: 2020-04-29 13:46 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-12-30 16:38:51 UTC
rh#1786567

A vulnerability was found in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.

Reference:
https://bugs.php.net/bug.php?id=78878

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1786567
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11046
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11046.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11046
https://bugs.php.net/bug.php?id=78878
Comment 1 Petr Gajdos 2020-01-02 11:46:34 UTC
I cannot reproduce. I get everywhere:

$ valgrind  -q php test.php
PHP Notice:  Use of undefined constant ²6483605105519922841849335928742092 - assumed '²6483605105519922841849335928742092' in /159924/test.php on line 3
bc math warning: non-zero scale in modulus
0$

(compare with [2019-11-29 07:37 UTC] thomas-josef dot riedmaier at siemens dot com in the upstream bug)
Comment 2 Petr Gajdos 2020-01-02 11:48:09 UTC
Patch applies cleanly everywhere.

Will submit for: 15/php7, 12/php72, 12/php7, 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 3 Petr Gajdos 2020-01-02 13:45:25 UTC
(Testcase from the upstream bug.)
Comment 4 Petr Gajdos 2020-01-02 15:30:38 UTC
I have also submitted 7.3.13 version update into 15sp2.
Comment 5 Petr Gajdos 2020-01-02 15:59:42 UTC
Packages submitted. I believe all fixed.
Comment 7 Swamp Workflow Management 2020-01-08 15:32:01 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2020-01-22.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64405
Comment 8 Swamp Workflow Management 2020-01-14 23:12:41 UTC
SUSE-SU-2020:0101-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.49.1
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.49.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    php7-7.2.5-4.49.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    php7-7.2.5-4.49.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    php7-7.2.5-4.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-01-20 17:19:35 UTC
openSUSE-SU-2020:0080-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.19.2, php7-test-7.2.5-lp151.6.19.2
Comment 10 Swamp Workflow Management 2020-01-30 20:19:46 UTC
SUSE-SU-2020:0267-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.32.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php72-7.2.5-1.32.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-02-06 20:12:29 UTC
SUSE-SU-2020:0352-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php7-7.0.7-50.91.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.91.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.91.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Petr Gajdos 2020-02-10 14:52:09 UTC
Submitted also for devel:languages:php:php56/php5.
Submitted also for 12/php5.
Comment 16 Swamp Workflow Management 2020-02-24 14:11:48 UTC
SUSE-SU-2020:14289-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159922,1159923,1159924,1159927,1161982,1162629
CVE References: CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2019-20433,CVE-2020-7059
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    php53-5.3.17-112.79.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.79.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.79.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-02-28 14:26:37 UTC
SUSE-SU-2020:0522-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1145095,1146360,1154999,1159922,1159923,1159924,1159927,1161982,1162629,1162632
CVE References: CVE-2019-11041,CVE-2019-11042,CVE-2019-11043,CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2020-7059,CVE-2020-7060
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Alexandros Toptsoglou 2020-04-29 13:46:43 UTC
Done